Must Have: Most Needed Network Penetration Testing Tools


Cyber Security Apr 29, 2023

Network penetration testing (pentest) tools are most commonly used in the cybersecurity industry to identify vulnerabilities in networks and applications. This article gives a complete list of the network security tools required for this kind of testing.

Scan / Pentest

OpenVAS is a multi-service and tool platform that offers a comprehensive and powerful vulnerability scanning and management solution.

The Metasploit platform is one of the best network security tools for developing and executing exploit code on a remote target machine. Other important subprojects include the opcode database, the shellcode archive, and related research.

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. Kali Linux comes preinstalled with many penetration testing programs, including nmap (port scanner), Wireshark (packet sniffer), John the Ripper (password cracker), and Aircrack-ng (wireless LAN penetration testing software package).

pig is a Linux packet crafting tool.

Scapy is an interactive Python packet processing program and library.

Pompem is an open source network security tool designed to automate the search for exploits in key databases.

Nmap is a free and open source network discovery and security auditing utility.

Monitoring / logging

justniffer is a network protocol analyzer that captures network traffic and generates logs in a customizable way. It can emulate Apache web server log files, track response times, and extract all intercepted files from HTTP traffic.

httpry is a specialized packet sniffer designed to display and log HTTP traffic. The tool is not designed to perform analysis itself, but to capture, parse and log traffic for later analysis. It can be run in real time, displaying traffic as it is parsed, or as a daemon process that logs to an output file. The tool is written to be as lightweight and flexible as possible so that it can be easily adapted to different applications.

ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets. The tool currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw over Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same way as more common packet sniffing tools such as tcpdump and snoop.

PassiveDNS is one of the best network security tools for passively collecting DNS records, which helps with incident handling, network security monitoring (NSM), and general digital forensics. PassiveDNS monitors traffic from an interface or reads a pcap file and outputs the DNS server responses to a log file. It can cache/aggregate duplicate DNS responses in memory, limiting the amount of data in the log file without losing value in the DNS response.

Sagan is a tool that uses a Snort-like engine and rules to analyze logs (syslog / event log / snmptrap / netflow / etc).

The Node Security Platform is a free tool that is used to detect and fix vulnerabilities in Node.js project dependencies. It helps developers identify and fix security issues in their code, preventing possible attacks on the application.

ntopng is a tool for checking network traffic. It allows you to analyze the flow of network traffic, including the detection and diagnosis of performance problems, as well as monitoring the use of channels and other network resources.

Fibratus is a tool for exploring and monitoring the Windows kernel. It is capable of capturing most Windows kernel activity: process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and more. Fibratus has a very simple command line interface that encapsulates a mechanism for running a kernel event stream collector, setting kernel event filters, or running lightweight Python modules called filaments.

Network Intrusion Detection (IDS)

Snort is a free and open source Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS).

Zeek (formerly Bro) is a powerful open source network analysis platform.

OSSEC is a scalable, multi-platform, host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and proactive response. It runs on most operating systems including Linux, macOS, Solaris, HP-UX, AIX and Windows, and has plenty of reasonable documentation. Its sweet spot is medium to large deployments. However, it will take a lot of time to figure out how everything works.

Suricata is an open source intrusion detection system (IDS) that is used to detect network attacks and unwanted traffic.

Security Onion is a Linux distribution for intrusion detection, network security monitoring and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other security tools.

sshwatch is an IPS for SSH, similar to DenyHosts, written in Python. It can also log information about the attacker during the attack.

Stealth is a file integrity checker that leaves virtually no traces. The controller runs from another computer, which makes it difficult for an attacker to learn that the file system is being checked at pseudo-random intervals over SSH. Highly recommended for small to medium deployments.

AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with learning capabilities that need no human intervention, NIDS (Network Intrusion Detection System) functions, DNS domain classification, a network data collector, network forensics and more.

DenyHosts is a tool to prevent SSH dictionary attacks and brute-force attacks.

Fail2Ban is a tool to scan log files and perform a series of actions on IP addresses that exhibit malicious behavior.

SSHGuard is software, written in C, that protects services in addition to SSH.

Lynis is an open source security audit tool for Linux/Unix.

HoneyPot / HoneyNet

HoneyPy is open source software that is used to detect and collect information about intruders and their attacks. The software allows users to create virtual listeners for various protocols such as HTTP, FTP, Telnet, etc. and track their interaction with attackers. This allows you to obtain information about IP addresses, session identifiers, and the software used by intruders for further analytics and system protection.

Dionaea is an open source network security incident tracking tool. Dionaea was created to monitor various types of network attacks, including viruses, spyware, etc. The tool can be used to detect vulnerabilities in network hardware and software, as well as to collect information about attack methods of intruders.

Conpot (ICS/SCADA HoneyPot) is a server-side, low-interaction honeypot for industrial control systems designed to be easily deployed, modified, and expanded.

Amun is a low-interaction honeypot based on Python.

Glastopf is a network security incident tracking tool. It can emulate thousands of vulnerabilities to gather data from attacks targeting web applications.

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks.

Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.

HonSSH is a high-interaction honeypot solution. HonSSH sits between the attacker and the honeypot, creating two separate SSH connections between them.

Bifrozt is a NAT device with a DHCP server that is typically deployed with one NIC connected directly to the Internet and one NIC connected to the internal network. What sets Bifrozt apart from other standard NAT devices is its ability to act as a transparent SSHv2 proxy between the attacker and the honeypot.

HoneyDrive is the leading honeypot Linux distribution. It is a virtual appliance (OVA) with Xubuntu Desktop LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo, Dionaea, Amun, Glastopf and Wordpot, Conpot, Thug, PhoneyC, etc.

Cuckoo Sandbox is an open source software for automating the analysis of suspicious files. To do this, custom components are used that monitor the behavior of malicious processes while running in an isolated environment.

Full Packet Capture / Forensics

tcpflow is a program that captures data transmitted as part of TCP connections and stores the data in a way that is convenient for protocol analysis and debugging.

Xplico is a tool for extracting the application data contained in Internet traffic. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP content, each VoIP call (SIP), FTP, TFTP, and so on. Xplico is not a network protocol analyzer. Xplico is an open source network forensic analysis tool (NFAT).

Moloch is an open source system for large-scale IPv4 packet capture (PCAP) and indexing. A simple web interface is provided for browsing, searching and exporting PCAP. APIs are available that allow you to download PCAP data and session data in JSON format directly. Simple security is implemented with HTTPS and HTTP password support or with Apache. Moloch is not intended to replace IDS engines, but instead works alongside them to store and index all network traffic in the standard PCAP format for fast access. Moloch is built to be deployed on many systems and can scale to handle multi-gigabit/sec traffic.

OpenFPC is a set of tools that together provide a lightweight full-packet network traffic capture and buffering system. The design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware, integrating with existing alert and log management tools.

Dshell is a network forensic analysis platform. It allows you to quickly develop plugins to support the analysis of captured network packets.

stenographer is a packet capture solution that aims to quickly spool all packets to disk and then provide easy and fast access to subsets of those packets.

Sniffer based network security tools

Wireshark is a free and open source packet sniffer. The tool is used for network troubleshooting, analysis, software and communication protocol development, and education. Wireshark is very similar to tcpdump but has a graphical interface and some built-in sorting and filtering options.

netsniff-ng is a free networking toolkit for Linux, a kind of Swiss army knife. Performance gains are achieved through zero-copy mechanisms, so that when receiving and transmitting packets, the kernel does not need to copy packets from kernel space to user space and vice versa.

Live HTTP headers is a free add-on for Firefox that allows you to view browser requests in real time. The extension shows full request headers and can be used to find security loopholes in implementations.

SIEM - Network Security Tools

Prelude is a versatile SIEM system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events, regardless of the brand of product or license causing such events.

OSSIM provides all the features that a security specialist needs from SIEM offerings: event collection, normalization and correlation.

FIR is a cybersecurity incident management platform.


OpenVPN is open source software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access. OpenVPN uses a security protocol that supports SSL/TLS for key exchange.

Fast Packet Processing

DPDK is a set of libraries and drivers for fast packet processing.

PFQ is a functional networking platform designed for the Linux operating system. It provides efficient packet capture/transfer, functional processing in the kernel, and packet forwarding through sockets/endpoints.

PF_RING is a new network socket type that greatly improves packet capture speed.

PF_RING ZC (Zero Copy) is a flexible packet processing platform that allows packet processing rates of 10 gigabits/s (both RX and TX) to be achieved at any packet size. It can be used for zero-copy operations, including patterns for inter-process and inter-VM (KVM) communication.

PACKET_MMAP / TPACKET / AF_PACKET: PACKET_MMAP can be used to improve the performance of packet capture and transmission on Linux.

netmap is a platform for high speed packet I/O. Together with the accompanying VALE softswitch, it is implemented as a single kernel module and is available for FreeBSD, Linux, and Windows.

Firewall based network security tools

pfSense is a FreeBSD distribution for firewalls and routers.

OPNsense is an open source FreeBSD-based firewall and routing platform that is easy to use and build. OPNsense includes most of the features found in expensive commercial firewalls and more.

fwknop is a tool for dynamically managing firewall rules based on cryptographic authentication.

SpamAssassin is a powerful and popular email spam filter that uses various detection methods.


Anurag Deep
